From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com, Prameela Rani Garnepudi , Amitkumar Karwar , Johan Hovold , Kalle Valo Subject: [PATCH 4.14 31/89] rsi: fix use-after-free on probe errors Date: Mon, 3 Feb 2020 16:19:16 +0000 Message-Id: <20200203161920.975871420@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200203161916.847439465@linuxfoundation.org> References: <20200203161916.847439465@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johan Hovold commit 92aafe77123ab478e5f5095878856ab0424910da upstream. The driver would fail to stop the command timer in most error paths, something which specifically could lead to the timer being freed while still active on I/O errors during probe. Fix this by making sure that each function starting the timer also stops it in all relevant error paths. Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method") Cc: stable # 4.12 Cc: Prameela Rani Garnepudi Cc: Amitkumar Karwar Signed-off-by: Johan Hovold Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/rsi/rsi_91x_hal.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/drivers/net/wireless/rsi/rsi_91x_hal.c +++ b/drivers/net/wireless/rsi/rsi_91x_hal.c @@ -541,6 +541,7 @@ static int bl_cmd(struct rsi_hw *adapter bl_start_cmd_timer(adapter, timeout); status = bl_write_cmd(adapter, cmd, exp_resp, ®out_val); if (status < 0) { + bl_stop_cmd_timer(adapter); rsi_dbg(ERR_ZONE, "%s: Command %s (%0x) writing failed..\n", __func__, str, cmd); 
@@ -656,10 +657,9 @@ static int ping_pong_write(struct rsi_hw } status = bl_cmd(adapter, cmd_req, cmd_resp, str); - if (status) { - bl_stop_cmd_timer(adapter); + if (status) return status; - } + return 0; } @@ -749,10 +749,9 @@ static int auto_fw_upgrade(struct rsi_hw status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL, "EOF_REACHED"); - if (status) { - bl_stop_cmd_timer(adapter); + if (status) return status; - } + rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n"); return 0; } @@ -773,6 +772,7 @@ static int rsi_load_firmware(struct rsi_ status = hif_ops->master_reg_read(adapter, SWBL_REGOUT, ®out_val, 2); if (status < 0) { + bl_stop_cmd_timer(adapter); rsi_dbg(ERR_ZONE, "%s: REGOUT read failed\n", __func__); return status;
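Review bot: in bl_cmd, the new bl_stop_cmd_timer(adapter) covers only the bl_write_cmd failure exit visible in the hunk, while the ping_pong_write and auto_fw_upgrade hunks drop their own stop calls and so now depend on bl_cmd never returning an error with the timer still armed. Every other error return in bl_cmd after bl_start_cmd_timer(adapter, timeout) needs the same stop, and a one-line comment above the function stating that contract would keep a later error path from reintroducing the use-after-free.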
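Review bot: in ping_pong_write, once the braces are removed the tail is "if (status) return status;" followed by "return 0;", which is equivalent to returning status directly, so the function could end with "return bl_cmd(adapter, cmd_req, cmd_resp, str);". The callers in the ping_pong_write and auto_fw_upgrade hunks also test "if (status)" while bl_cmd and rsi_load_firmware test "status < 0"; using one convention for the same return value would make the error handling easier to audit.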
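Review bot: in rsi_load_firmware, the stop call is open-coded inside the master_reg_read failure branch, and the hunk context shows neither where the timer is started nor whether the function's later error returns stop it as well. Routing the error exits through a single label that calls bl_stop_cmd_timer(adapter) before returning status would make the start/stop pairing checkable at a glance and harder to miss when a new error path is added.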